It wouldn’t take an internal auditor long to spot the internal control problem with the former spending approval process at Wescom Solutions. An accounting manager, Nadia Minetto, was responsible for approving all spending on company cards at the Mississauga, Ontario-based software company, including her own.
That means if she made fraudulent purchases, she could easily approve them in the accounting system herself, and no one would ever see them. And that’s exactly what she did. During a period of nearly three years, Minetto bought thousands of iPads and iPhones on her corporate American Express card and fenced them through a contact she had made with on online ad, according to a report in Canada’s National Post. When she was finally caught, Wescom determined that she had stolen more than C$6.8 million ($5.1 million) mostly in purchases of Apple products that she then resold to pocket the cash.
A consultant, who was reviewing transactions as Wescom considered becoming a publicly traded company, discovered the improper purchases. Minetto eventually admitted the fraud and consented to a judgment in the amount of C$6,832,000 plus interest. (Wescom did not press charges against the former employee.) Wescom also won a judgment for more than $5 million against Gabriel Fung, whom Minetto sold most of the electronics to.
While most companies have controls, such as separation of duties, periodic reviews, and others, to prevent such simple frauds from occurring, the case serves as a reminder to put internal controls and safeguards around the use of corporate cards by employees to prevent fraud.
Recommended Controls
The consulting and accounting firm of Alexander Aronson Finning CPAs (AAFCPAs) recommends the following internal controls to govern and oversee the use of company credit cards.
- Develop a written policy – Organizations should document a credit card policy that details the rules for using the card, and includes the acknowledgement that the employee takes responsibility for the card and agrees to follow the guidelines and use the card only for business purposes. The written policy should address issues such as:
- When are receipts required?
- When do charges need to be pre-approved, and what is the process for seeking approval?
- What are permitted and prohibited transactions?
- Who receives the credit card incentive rewards?
- What are the consequences when an employee deviates from the policy?
- Prohibit personal expenditures – Company credit cards should only to be used for company-related purchases.
- Limit credit card usage – Cards should be used only when necessary, and when another form of payment is impracticable. In addition, companies should only issue credit cards to employees who truly need them, and should try to keep the overall number of credit cards at the organization as low as possible. Management should also regularly review the credit card limit of each card to determine if the amount is appropriate.
- Require employees to sign-off on policy – Each employee who is issued a credit card should sign off on the credit card policy before the card is issued.
- Store in a safe location – Each employee with a credit card should make sure it is secured in a safe location.
- Have Board approve issuance – For nonprofit organizations, the Board of Directors should formally approve the issuance of credit cards.
- Establish spending limits – Each employee who has a credit card should have a limit that is appropriate for their typical expenditure levels.
- Have bills approved by a supervisor or management – Employees’ monthly original credit card bills should be approved by their manager or another supervisor, and this review should be evidenced, for example, by a signature on the bills or an electronic bill sign-off. For nonprofit organizations, senior management’s credit card statements and supporting receipts should be reviewed by a member of the Finance Committee or Board on a periodic basis.
- Reconcile monthly – The monthly credit card bills should be reconciled timely to receipts by the Finance Office. The Finance Office should follow up promptly on any missing receipts.
AAFCPAs recommends that clients review their credit card policy and practices to ensure that controls are adequate and that the policy is comprehensive. If Wescom had done that, it likely would have discovered Minetto’s fraud much sooner. As it stands, the company hasn’t been able to recover much of the stolen funds. Although she was forced to sell her luxury Mercedes and Audi automobiles and give the funds to Wescom, Minetto claims she doesn’t really know where most of the money went.